feat: Broaden middleware's internal URL correction to include hosts like klz-app and localhost, and update Varnish's health check URL to /health.

This commit is contained in:
2026-02-06 13:23:26 +01:00
parent b74f6b6f9e
commit ebe67afd73
2 changed files with 19 additions and 13 deletions


@@ -19,25 +19,31 @@ export default function middleware(request: NextRequest) {
headerObj[key] = value; headerObj[key] = value;
}); });
// Defensive URL correction // Defensive URL correction for internal container leakage (0.0.0.0, klz-app, localhost)
// If the URL contains 0.0.0.0 (internal IP), we rebuild it using the Host header // This prevents hydration mismatches and host poisoning in generated links/metadata.
const urlObj = new URL(url);
const internalHosts = ['0.0.0.0', 'klz-app', 'localhost', '127.0.0.1'];
let effectiveRequest = request; let effectiveRequest = request;
if (url.includes('0.0.0.0')) { if (internalHosts.includes(urlObj.hostname)) {
const proto = headers.get('x-forwarded-proto') || 'https'; const proto = headers.get('x-forwarded-proto') || 'https';
const host = headers.get('x-forwarded-host') || headers.get('host') || 'testing.klz-cables.com'; // Prioritize x-forwarded-host (passed by Traefik) over the local Host header
const newUrl = new URL(url); const hostHeader =
newUrl.protocol = proto; headers.get('x-forwarded-host') || headers.get('host') || 'testing.klz-cables.com';
// Split host to remove port if present const [publicHostname] = hostHeader.split(':');
const [hostname] = host.split(':');
newUrl.hostname = hostname; urlObj.protocol = proto;
newUrl.port = ''; // Explicitly clear the port to avoid leaking :3000 urlObj.hostname = publicHostname;
effectiveRequest = new NextRequest(newUrl, { urlObj.port = ''; // Explicitly clear internal port (3000)
effectiveRequest = new NextRequest(urlObj, {
headers: request.headers, headers: request.headers,
method: request.method, method: request.method,
body: request.body, body: request.body,
}); });
console.log( console.log(
`Replaced 0.0.0.0 URL with: ${newUrl.toString()} | Original Host: ${headers.get('host')} | Forwarded Host: ${headers.get('x-forwarded-host')}`, `🛡️ Middleware: Fixed internal URL leak: ${url} -> ${urlObj.toString()} | Proto: ${proto} | Host: ${hostHeader}`,
); );
} }
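Review bot: The rebuilt request URL takes its hostname straight from `x-forwarded-host` (then `host`) without validating it, so once the internal-host branch is entered the URL — and anything downstream that derives links or metadata from it — is whatever that header says; the new comment says this prevents host poisoning, but it only moves the trust from the URL to a request header. That is safe only if Traefik overwrites the header on every path to the container; a request that reaches the app directly carries a client-controlled value. I would compare `publicHostname` against an allowlist of hosts this deployment serves and fall back to the default otherwise, and restrict `proto` to `http`/`https` instead of assigning the header value to `urlObj.protocol` verbatim. Separately, `new URL(url)` is now called unconditionally where the old code only parsed inside the branch, so a non-absolute `url` (its origin is outside this hunk) would throw before the guard; `middleware` begins before the hunk and continues after it.
```ts
// … unchanged: proto/hostHeader reads …
const [publicHostname] = hostHeader.split(':');
// Only hosts this deployment actually serves; anything else falls back to the default.
const ALLOWED_PUBLIC_HOSTS = new Set(['testing.klz-cables.com' /* <OTHER-PUBLIC-HOSTS> */]);
const safeHostname = ALLOWED_PUBLIC_HOSTS.has(publicHostname) ? publicHostname : 'testing.klz-cables.com';
const safeProto = proto === 'http' ? 'http' : 'https';

urlObj.protocol = safeProto;
urlObj.hostname = safeHostname;
urlObj.port = ''; // Explicitly clear internal port (3000)
// … unchanged: NextRequest construction and log …
```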


@@ -3,7 +3,7 @@ vcl 4.1;
import std; import std;
probe default_probe { probe default_probe {
.url = "/en"; .url = "/health";
.timeout = 2s; .timeout = 2s;
.interval = 5s; .interval = 5s;
.window = 5; .window = 5;
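Review bot: The probe now depends on `/health` answering with the expected status, but the only other file in this commit is the Next.js middleware and nothing on the page shows such a route being added, so the endpoint presumably exists already — worth confirming, since a missing `/health` makes Varnish mark the backend sick and stop serving it. The old `/en` probe exercised a real page render whereas `/health` likely does not, so check that it reflects what the app needs to serve traffic rather than just process liveness. I would also make the expectation explicit next to `.url` with `.expected_response = 200;` so the probe's contract is visible in the VCL. The `probe default_probe {` block continues past the hunk.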